CVE-2015-5963

Published: 24/08/2015 Updated: 03/10/2017
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
VMScore: 445
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

Vulnerability Summary

contrib.sessions.middleware.SessionMiddleware in Django 1.8.x prior to 1.8.4, 1.7.x prior to 1.7.10, 1.4.x prior to 1.4.22, and possibly other versions allows remote attackers to cause a denial of service (filling the session store, or evicting other users' session records from it) via a large number of anonymous requests to contrib.auth.views.logout, each of which creates a new empty session record.
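The following is an added model of the mechanism described above; it is constructed for this page and is not Django's code. It simulates a fixed-capacity session store with oldest-first eviction (an assumption standing in for a cache backend), a pre-fix flush() that unconditionally create()s a new empty record, the corrected flush() that only discards the key, and the login_required guard that the advisories note prevents the anonymous path from reaching the store at all. The store size, victim sessions and request counts are constructed inputs.

```python
"""Model of CVE-2015-5963: an anonymous request to the logout view makes
flush() create an empty session record, so repeated requests fill a
bounded session store and evict real users' sessions.

Constructed example, not Django's code. The store, its capacity and the
victim sessions are assumptions made for illustration."""
import secrets
from collections import OrderedDict


class BoundedSessionStore:
    """Hypothetical fixed-capacity store (like a cache backend with eviction)."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.records = OrderedDict()  # session_key -> session data, oldest first

    def save(self, key, data):
        self.records[key] = dict(data)
        self.records.move_to_end(key)
        while len(self.records) > self.capacity:
            # Oldest record goes first: this is how a logout storm evicts other users.
            self.records.popitem(last=False)

    def delete(self, key):
        self.records.pop(key, None)


class Session:
    """Per-request session, loosely modelled on the SessionBase flush() contract."""

    def __init__(self, store, session_key=None):
        self.store = store
        self.session_key = session_key
        self.data = dict(store.records.get(session_key, {})) if session_key else {}

    def create(self):
        self.session_key = secrets.token_hex(16)
        self.store.save(self.session_key, self.data)

    def flush_vulnerable(self):
        # Pre-fix behaviour: clear, delete the old record, then create() a new
        # empty one unconditionally, even when the request carried no session.
        self.data = {}
        if self.session_key is not None:
            self.store.delete(self.session_key)
        self.create()

    def flush_fixed(self):
        # Fixed behaviour: clear, delete, and drop the key. A record is only
        # written later if the session is actually modified.
        self.data = {}
        if self.session_key is not None:
            self.store.delete(self.session_key)
        self.session_key = None


def logout_view(session, authenticated, fixed, login_required):
    """Model of the logout view. Returns an HTTP-style status code."""
    if login_required and not authenticated:
        return 302  # login_required redirects without touching the session store
    if fixed:
        session.flush_fixed()
    else:
        session.flush_vulnerable()
    return 200


def simulate(capacity, n_victims, n_requests, fixed=False, login_required=False):
    """Seed n_victims logged-in sessions, then fire n_requests anonymous logouts.
    Returns (records in store, victim sessions that survived)."""
    store = BoundedSessionStore(capacity)
    victim_keys = []
    for i in range(n_victims):
        s = Session(store)
        s.data["_auth_user_id"] = str(i)  # constructed victim session
        s.create()
        victim_keys.append(s.session_key)
    for _ in range(n_requests):
        anon = Session(store)  # request without a session cookie
        logout_view(anon, authenticated=False, fixed=fixed, login_required=login_required)
    survivors = sum(1 for k in victim_keys if k in store.records)
    return len(store.records), survivors


if __name__ == "__main__":
    print("vulnerable flush():", simulate(50, 10, 100))
    print("fixed flush():     ", simulate(50, 10, 100, fixed=True))
    print("login_required:    ", simulate(50, 10, 100, login_required=True))
```

With a store of 50 records and 10 logged-in victims, 100 anonymous logouts against the vulnerable flush() leave 50 attacker-created empty records and no surviving victim sessions; with the fixed flush(), or with login_required in front of the view, the store still holds exactly the 10 victim sessions. The practical check on a real deployment is the same: count session records before and after a burst of anonymous GETs to the logout URL.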

Vulnerable Products

djangoproject django 1.4
djangoproject django 1.4.1
djangoproject django 1.4.2
djangoproject django 1.4.4
djangoproject django 1.4.5
djangoproject django 1.4.6
djangoproject django 1.4.7
djangoproject django 1.4.8
djangoproject django 1.4.9
djangoproject django 1.4.10
djangoproject django 1.4.11
djangoproject django 1.4.12
djangoproject django 1.4.13
djangoproject django 1.4.14
djangoproject django 1.4.17
djangoproject django 1.4.19
djangoproject django 1.4.20
djangoproject django 1.4.21
djangoproject django 1.7
djangoproject django 1.7.1
djangoproject django 1.7.2
djangoproject django 1.7.3
djangoproject django 1.7.4
djangoproject django 1.7.5
djangoproject django 1.7.6
djangoproject django 1.7.7
djangoproject django 1.7.8
djangoproject django 1.7.9
djangoproject django 1.8
djangoproject django 1.8.0
djangoproject django 1.8.1
djangoproject django 1.8.2
djangoproject django 1.8.3
oracle solaris 11.3
canonical ubuntu linux 12.04
canonical ubuntu linux 14.04
canonical ubuntu linux 15.04

Vendor Advisories

Debian Bug report logs - #796104 python-django: CVE-2015-5963 CVE-2015-5964. Package: src:python-django; Maintainer for src:python-django is Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: Wed, 19 Aug 2015 14:00:02 UTC; Severity: impo ...

Django could be made to crash if it received specially crafted network traffic ...

Lin Hua Cheng discovered that a session could be created when anonymously accessing the django.contrib.auth.views.logout view. This could allow remote attackers to saturate the session store or cause other users' session records to be evicted. Additionally, the contrib.sessions.backends.base.SessionBase.flush() and cache_db.SessionStore.flush() meth ...

It was found that Django incorrectly handled the session store. A session could be created by anonymously accessing the django.contrib.auth.views.logout view if it was not decorated correctly with django.contrib.auth.decorators.login_required. A remote attacker could use this flaw to fill up the session store or cause other users' session records t ...